A Note on the Bivariate Coppersmith Theorem

A Note on the Bivariate Coppersmith Theorem

Jean-S´ebastien Coron¹, Alexey Kirichenko², and Mehdi Tibouchi³

1 Universit´e du Luxembourg 6, rue Richard Coudenhove-Kalergi

l-1359 Luxembourg, Luxembourg jean-sebastien.coron@uni.lu

2 F-Secure Corporation Tammasaarenkatu 7, PL 24

00181 Helsinki, Finland alexey.kirichenko@f-secure.com

3 NTT Information Sharing Platform Laboratories 3–9–11 Midori-cho, Musashino-shi, Tokyo 180–8585, Japan

tibouchi.mehdi@lab.ntt.co.jp

Abstract. In 1997, Coppersmith proved a famous theorem for finding small roots of bivariate polynomials overZ, with important applications to cryptography.

While it seems to have been overlooked until now, we found the proof of the most commonly cited version of this theorem to be incomplete.

Filling in the gap requires technical manipulations which we carry out in this paper.

1 Introduction

In his seminal 1997 paper [1], D. Coppersmith shows how to find small roots of polynomials mod N, as well as bivariate polynomials over the integers. In particular, he proves the following theorem:

Theorem 1 (Coppersmith [1, Th. 2]). Let p(x, y)be an irreducible polyno- mial in two variables overZ, of maximum degree δin each variable. LetX, Y be bounds on the desired solutionsx0,y0. Definep(x, y) =˜ p(xX, yY)and let W be the supremum of the absolute values of the coefficients ofp. If, for some˜ ε >0, XY < W^2/(3δ)−ε2^−14δ/3 (1) then in time polynomial in (logW,2^δ,1/ε), we can find all integer pairs(x0, y0) with p(x0, y0) = 0,|x0|< X and|y0|< Y.

From this, he deduces a widely cited corollary:

Corollary 1 ([1, Cor. 2]). With the hypothesis of Theorem 1, except that XY ≤W^2/(3δ)

then in time polynomial in(logW,2^δ), we can find all integer pairs(x0, y0)with p(x0, y0) = 0,|x0| ≤X and|y0| ≤Y.

For Corollary 1 the following proof is given in [1]: “Setε= 1/logW, and do exhaustive search on the high-order O(δ) unknown bits ofx. The running time is still polynomial, but of higher degree in (logW).”

However, we claim that this proof is incomplete. Carrying out an exhaustive search on the`highest-order bits ofx0essentially amounts to writing:

x₀= 2^−`αX+x⁰₀

where X is assumed to be a multiple of 2^{`</sup> and |x<sup>0</sup><sub>0</sub>| < 2<sup>−`}X, and to doing exhaustive search on αfor|α| ≤2^`. We are thus looking for a solution (x⁰₀, y0) of the polynomial equationq(x, y) = 0 given by

q(x, y) :=p(2^{−`</sup>αX+x, y), (2) where x<sup>0</sup><sub>0</sub> is now bounded in absolute value byX<sup>0</sup> = 2<sup>−`}X instead ofX. Then, in order to apply Theorem 1 for the polynomialq(x, y), one must consider the new bound forq:

Wq = max

ij |qijX⁰ⁱY^j|,

instead of the original bound W = maxij|pijXⁱY^j|. However it isa priori un- clear whether condition (1) will be satisfied for X⁰, Y, and Wq. Namely, the coefficients ofq(x, y) could become very small because of the change of variable in (2), andWq might then be too small for condition (1) to be satisfied. What we show is that this does not in fact happen:Wq can be bounded appropriately so that condition (1) holds forqas well (technically, we show this when exhaustive search is carried out on` bits ofboth xandy, hence with a polynomial slightly different fromq; the argument adapts toqas well, however).

Note that this problem does not occur in the univariate case moduloN, since in that case the condition onX only depends on the modulusN and not on the coefficients of the polynomial.

The gap is also present in other works building upon [1], such as [2, 3], and the fix we propose here applies to those other papers as well.

2 A Proof of Corollary 1

In order to prove Corollary 1, we do exhaustive search on` bits of both xand y, which is similar to the above but somewhat more symmetric. This amounts to writing

x₀= 2^{−`</sup>αX+x<sup>0</sup><sub>0</sub>, y<sub>0</sub>= 2<sup>−`}βY +y₀⁰ and applying Theorem 1 to polynomialsp⁰ of the form

p⁰(x, y) =p(x+ 2^{−`</sup>αX, y+ 2<sup>−`}βY)

with|α|,|β| ≤2^{`</sup>, andx<sup>0</sup><sub>0</sub>andy<sup>0</sup><sub>0</sub> now bounded in absolute value byX<sup>0</sup> = 2<sup>−`}X andY⁰ = 2^{−`</sup>Y, respectively; here we assume wlog thatX andY are multiples of 2<sup>`}. In order to check that the hypotheses of the theorem do indeed hold, we need to estimate the supremum W⁰ of absolute value of the coefficients of

˜

p⁰(x, y) =p⁰(xX⁰, yY⁰).

Lemma 1. The constantW⁰ satisfies

2−2δ(`+2δ+4)−1W ≤W⁰ ≤16^δW.

Proof. We first compute the coefficients of ˜p⁰. For all indicesa,b:

p⁰_ab=

δ

X

i=a δ

X

j=b

i a

j b

pij

αX 2^`

i−aβY 2^`

j−b

˜

p⁰_ab=X^0aY^0b

δ

X

i=a δ

X

j=b

i a

j b

p˜_ij XⁱY^j

αX 2^`

i−aβY 2^`

j−b

˜

p⁰_ab= 2^−(a+b)`

δ

X

i=a δ

X

j=b

i a

j b

˜ p_ijα

2^`

^i−aβ 2^`

j−b

.

Using crude bounds, it follows that

|p˜⁰_ab| ≤1×

δ

X

i=a δ

X

j=b

2^δ·2^δ·W·1·1≤(δ+ 1)²·4^δ·W ≤16^δW,

which is the required upper bound.

Turning to the lower bound, letλbe a real number>2 which will be chosen later. We then let (c, d) denote a pair of indices such thatλ^c+d|˜p_cd|is maximal.

This maximum will be denotedW_λ. We have

˜

p⁰_cd= 2^−(c+d)`

"

˜

p_cd+ X

c≤i≤δ d≤j≤δ (i,j)6=(c,d)

i c

j d

˜ p_ijα

2^`

^i−cβ 2^`

j−d# .

Note further that, sinceλ^i+j|p˜ij|is maximal for (i, j) = (c, d),

|˜pij| ≤λ(c−i)+(d−j)|p˜cd| for alli, j.

We can thus bound the terms in the last sum as follows:

i c

j d

˜ p_ijα

2^`

i−cβ 2^`

j−d

≤2ⁱ·2^j·λ(c−i)+(d−j)|˜p_cd| ·1·1

≤4^δ|˜p_cd| ·λ(c−i)+(d−j). This entails that ˜p⁰_cdis lower bounded in absolute value as

|p˜⁰_cd| ≥2^−(c+d)`|˜p_cd|

"

1−4^δ X

c≤i≤δ d≤j≤δ (i,j)6=(c,d)

λ(c−i)+(d−j)

# .

Now we write X

c≤i≤δ d≤j≤δ (i,j)6=(c,d)

λ(c−i)+(d−j)≤ X

x,y≥0 (x,y)6=(0,0)

λ^−x−y= 1

(1−1/λ)² −1 = 2/λ−1/λ² (1−1/λ)² ≤ 8

λ

since we choseλ≥2. Plugging this into the previous inequality, we obtain

|˜p⁰_cd| ≥2^−(c+d)`|p˜_cd|

1−4^δ·8 λ

≥2^{−(c+d)`−1}|p˜_cd|

if we pickλ= 4^δ+2. Then, observing thatW⁰≥ |˜p⁰_cd|by maximality, and|˜p_cd|= λ^−c−dW_λ≥λ^−c−dW by definition ofcandd, we get

W⁰≥2<sup>−(c+d)`−1</sup>·4−(c+d)(δ+2)W ≥2−2δ(`+2δ+4)−1W

as required. ut

Lemma 2. Under the hypothesis of Corollary 1, namely XY ≤ W^2/(3δ), the following inequality holds forε= 1/log₂W and some large enough`=O(δ):

X⁰Y⁰ ≤(W⁰)^2/(3δ)−ε2^−14δ/3 Proof. Note first that

X⁰Y⁰ ≤2^−2`XY

≤2^−2`W^2/(3δ)

≤2<sup>−2`</sup> 22δ(`+2δ+4)+1W⁰2/(3δ)

≤2−2`/3+8δ/3+16/3+2/(3δ)(W⁰)^2/(3δ)

≤2−2`/3+22δ/3+6(W⁰)^ε·(W⁰)^2/(3δ)−ε2^−14δ/3. Hence, it suffices to show that the logarithm of the first factor

L= log₂ 2−2`/3+22δ/3+6(W<sup>0</sup>)<sup>ε</sup> is negative for some suitable`=O(δ). We have

L=−2 3`+22

3 δ+ 6 +εlog₂W⁰

≤ −2 3`+22

3 δ+ 6 +εlog₂(16^δW)

=−2 3`+22

3 δ+ 6 +ε·(4δ+ log₂W)

≤ −2 3`+34

3 δ+ 7,

since, without loss of generality,ε≤1. Thus, picking any` >17δ+ 11 gives the

required inequality. ut

Corollary 1 is easily deduced from Lemma 2. Indeed, exhaustive search re- quires (2<sup>`+1</sup>+ 1)<sup>2</sup> applications of Theorem 1 (taking into account all positive, negative and zero values ofαandβ), each of which runs in time polynomial in (logW,2<sup>δ</sup>). Since`=O(δ), the whole computation runs in time polynomial in (logW,2^δ) as well.

Note that the bound on`is very coarse, as we did not want to make the com- putation more cumbersome by using tighter inequalities. In practice, however, one could of course get away with far fewer bits of exhaustive search.

References

1. D. Coppersmith, Small Solutions to Polynomial Equations, and Low Exponent RSA Vulnerabilities, Journal of Cryptology, 10(4), 1997, pp. 233–260.

2. J.-S. Coron, Finding Small Roots of Bivariate Integer Polynomial Equations Re- visited, Proceedings of Eurocrypt 2004, LNCS vol. 3027, Springer Verlag, 2004, pp. 492–505.

3. J.-S. Coron, Finding Small Roots of Bivariate Integer Polynomial Equations: A Direct Approach, Proceedings of CRYPTO 2007, LNCS vol. 4622, Springer Verlag, 2007, pp. 379–394.